Policy Repository Syncing
Step 4: Server config - policy repo syncing (change detection)
Currently OPAL server supports two ways to detect changes in the policy git repo:
- Polling in fixed intervals - checks every X seconds if new commits are available.
- Github Webhooks - if the git repo is stored on github - you may setup a webhook (we plan to expand to generic webhook in the near future).
Option 1: Using polling (less recommended)
You may use polling by defining the following env var to a value different than 0:
| Env Var Name | Function |
|---|---|
| OPAL_POLICY_REPO_POLLING_INTERVAL | the interval in seconds to use for polling the policy repo |
Option 2: Using a webhook
It is much more recommended to use webhooks if your policy repo is stored in a supported service (currently Github, we are working on expanding this). Webhooks are much more efficient with network traffic, and won't conteminate your logs.
If your server is hosted at https://opal.yourdomain.com the webhook URL you must setup with your webhook provider (e.g: github) is https://opal.yourdomain.com/webhook. See GitHub's guide on configuring webhooks.
Keep in mind that the webhook should be in JSON format.
Typically you would need to share a secret with your webhook provider (authenticating incoming webhooks). You can use the OPAL CLI to create a cryptographically strong secret to use.
Let's install the cli to a new python virtualenv:
pyenv virtualenv opal pyenv activate opal pip install opal-server
Now let's use the cli to generate a secret:
opal-server generate-secret
You must then configure the appropriate env var:
| Env Var Name | Function |
|---|---|
| OPAL_POLICY_REPO_WEBHOOK_SECRET | the webhook secret generated by the cli (or any other secret you pick) |
For more info, check out this tutorial: How to track a git repo.